140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 22:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6.exe
Size

3.6MB
MD5

6fe64bf8f3b4991c3a9f614d9a9491c0
SHA1

da15d811d1542e6d56c0e7f54f21eb3cf14ee4c9
SHA256

140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6
SHA512

9336dff8a9ffda852dabedb0d127b043016492df468e091ffec26444ab6802c6d4f9db3d1377205ce5ee09e71bfb3366b3e8d968cb677d4eb874d1b529d00f4b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8:sxX7QnxrloE5dpUpkbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6.exe

Executes dropped EXE 2 IoCs

pid	Process
2592	sysabod.exe
2656	devbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1252	140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6.exe
1252	140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocW8\\devbodloc.exe"	140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax89\\optixloc.exe"	140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1252	140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6.exe
1252	140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6.exe
2592	sysabod.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe
2656	devbodloc.exe
2592	sysabod.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2592	1252	140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6.exe	28
PID 1252 wrote to memory of 2592	1252	140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6.exe	28
PID 1252 wrote to memory of 2592	1252	140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6.exe	28
PID 1252 wrote to memory of 2592	1252	140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6.exe	28
PID 1252 wrote to memory of 2656	1252	140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6.exe	29
PID 1252 wrote to memory of 2656	1252	140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6.exe	29
PID 1252 wrote to memory of 2656	1252	140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6.exe	29
PID 1252 wrote to memory of 2656	1252	140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6.exe	29

C:\Users\Admin\AppData\Local\Temp\140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6.exe
"C:\Users\Admin\AppData\Local\Temp\140a80e53ab2ab604346065efa45809bf3b8bf44a1ff02e28beb450fb839f8c6.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2592
- C:\IntelprocW8\devbodloc.exe
  C:\IntelprocW8\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax89\optixloc.exe

Filesize
3.6MB

MD5
68b07f02482fd0330aea977a096200dc

SHA1
25fe9e05a09653c1275affc34a1ec098ef9b40d7

SHA256
17c127db8dcc098460eb35979bb46c4bf63caff6d09b14c03566b8795091a4b6

SHA512
8f6859e4f19825f97ad8b5debaf034af53aaa63d9cbee3e888ebad7596100e7144ee9b34ea38e8e1665b8efd6055068a5e7e356ac8961be3130319efc151be06

Download Submit
C:\Galax89\optixloc.exe

Filesize
3.6MB

MD5
24bf1c125adc1784eae03160cbaed216

SHA1
e307424e9a4612ccea2a4dd1d6b24b073460585d

SHA256
e465b653f47390347a029aca2e7caf910f36fbe8f585222a806dc48576046618

SHA512
8c14a313e994aa1c114faa138f4558f786a23c698a389b7f3be96c418d77d4e4554967a2ac4844c77d781ec43852f9969d014336acbd67eac18f2f9ee74c824a

Download Submit
C:\IntelprocW8\devbodloc.exe

Filesize
3.6MB

MD5
41d72cca6ead798b4c5c1bfdfa493533

SHA1
2a0a62421f9c7a491e871e583bc55392f235e8af

SHA256
151f741fc5948ec246312ddd1c6778ec6e6b499174a9b3cbdd1fb0d3fb1ae5cb

SHA512
f8f34db9fd85d129d51df7cfebc975eca06bc9e21c9d3810425d30ffb5f2264d56c33f06fa595586ea6393acc4a267488777bead3adb8e5e44d05ec148d122a8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
f6d6aedee493a00a08428e3d7e9fe2b0

SHA1
5ddfe1fcd8a4f57bc62b520975d4ece5a9541430

SHA256
b2450dee8265bd7707e74d7cfbd785032dd049c63327ae8bdefbfba47bbe7a4c

SHA512
5f82dae4ae4e159ba1994fd49aa5a8fbdc547e06fe65f76941344bb0ecc84cd585ae568189529ffc9e334d57a4be448c476a037ab938c2d7d6ab684b1e6ec2e6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
1f9b4ad561ce1d6536852618bdf9801f

SHA1
b89b0d9d52a83d408cd4f42075b51774ac991472

SHA256
1fa59eac26e33d87c5140df8122dc4be7a29a8b8642663cb38ecc61babe81cfd

SHA512
23138bae729e84e96b090b948008d3fc308567bb2a5ee5765cbbc9d12436acca364353178476c67484ed4419df648b8d98d0809dcb57da396901e72654a9d621

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.6MB

MD5
2cfc4b238e2da8a48d37556d9846828d

SHA1
2ce482d287f813b45e44149171d4cf8901b44b87

SHA256
643b7302b69d006c183f22e0a504f593ceeea194c6ce7a5107facd5001b2a90a

SHA512
fda7fd8567ce4563a71ebf9f2561898f8ebe8a4f7b75423f0cf5387997d6a0495ba283120ad1059a968799ca94463931db4a83f90a8f615d9616cd2fffbe309f

Download Submit